override-{a[1, 3}, other}: add overrides for Akamai and some AP-based IP hijackers
Commit Message
Those came to my attention last night... These two "Cloud Innovation
Ltd." networks are especially interesting, since they strongly suggest
to be hijacked or stolen from AFRINIC for the sole purpose to be routed
by various dirty networks worldwide. Some of them host a decent amount
of phishing and C&Cs, while others seem to be used as proxy
infrastructure by miscreants, which is why an A1 flag seems to be
justified from my point of view.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
overrides/override-a1.txt | 21 +++++++++++++++++++++
overrides/override-a3.txt | 10 ++++++++++
overrides/override-other.txt | 35 +++++++++++++++++++++++++++++++++++
3 files changed, 66 insertions(+)
Comments
Peter Müller wrote:
> +net: 45.192.0.0/12
> +descr: Cloud Innovation Ltd.
> +remarks: hijacked AFRINIC IP chunk owned by an offshore company,
> routed to several dirty networks worldwide, cannot tell what is going on here
Would it be possible to make 'py -3 location lookup' etc.
return these important 'remarks'? Maybe a '--verbose' lookup
flags could return this?
Hello,
Currently those strings are not stored in the database for space reasons.
What would be your use-case for them?
-Michael
> On 13 Dec 2020, at 18:37, Gisle Vanem <gisle.vanem@gmail.com> wrote:
>
> Peter Müller wrote:
>
>> +net: 45.192.0.0/12
>> +descr: Cloud Innovation Ltd.
>> +remarks: hijacked AFRINIC IP chunk owned by an offshore company,
>> routed to several dirty networks worldwide, cannot tell what is going on here
>
> Would it be possible to make 'py -3 location lookup' etc.
> return these important 'remarks'? Maybe a '--verbose' lookup
> flags could return this?
>
Hi Gisle,
>> +net: 45.192.0.0/12
>> +descr: Cloud Innovation Ltd.
>> +remarks: hijacked AFRINIC IP chunk owned by an offshore
>> company,
>> routed to several dirty networks worldwide, cannot tell what is going
>> on here
>
> Would it be possible to make 'py -3 location lookup' etc.
> return these important 'remarks'? Maybe a '--verbose' lookup
> flags could return this?
>
while it would be certainly possible to do so in technical terms
(although it requires some changes to the libloc database format, as
Michael pointed out), I prefer to not do so:
libloc is not intended to be a reputation database for IP addresses.
There are more sources available for this purpose than I can list, each
of them satisfying a different need. One needs to fight spam at the SMTP
level, another worries about login attempts from infected PCs, and so
on. One size never fits all.
In retrospective, my remark regarding this network is therefore
misguiding. Personally, I strongly recommend against accepting any
traffic from or to (!) IP space owned by "Cloud Innovation Ltd." et al.,
but libloc should not reflect that.
Our override policies - if I may put it that way - are explained at the
beginning of each override file. While it is impossible to assign
45.192.0.0/12 a different and more meaningful country code than SC
(Seychelles) due to the fact that some chunks _are_ correctly flagged,
flagging it as a source for anonymous traffic seems to be justified.
Needless to say, there are good reasons to let an offshore letterbox
company run a business, especially when it comes to hosting high-risk
content (positive examples are investigative journalism and
whistle-blowing, while we are all aware of the negative ones). "Cloud
Innovation Ltd." strongly reminds me of an ongoing AFRINIC IP hijacking
operation similar to these:
-
https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
-
https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html
IP address space owned by them is a virtual no man's land. Do not
process any traffic related to it, but please do not rely on libloc to
provide you with a list of such IP networks or Autonomous Systems.
Something like Spamhaus DROP (https://www.spamhaus.org/drop/) might be a
better choice - these lists are explicitly compiled and provided for a
"drop all traffic" purpose.
Thanks, and best regards,
Peter Müller
@@ -406,6 +406,11 @@ descr: Express VPN International Ltd
remarks: VPN provider
is-anonymous-proxy: yes
+net: 45.192.0.0/12
+descr: Cloud Innovation Ltd.
+remarks: hijacked AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here
+is-anonymous-proxy: yes
+
net: 45.220.72.0/22
descr: Low budget VPN service
remarks: VPN provider
@@ -611,6 +616,11 @@ descr: CloudMine NET
remarks: VPN provider [high confidence, but not proofed]
is-anonymous-proxy: yes
+net: 92.118.204.0/22
+descr: Mo's Operations GmbH
+remarks: VPN provider [high confidence, but not proofed]
+is-anonymous-proxy: yes
+
net: 94.199.160.0/23
descr: MIK Telecom VPN pool
remarks: VPN provider
@@ -801,6 +811,11 @@ descr: WIFI and PROXY NET / Atlantique Telecom
remarks: VPN provider [high confidence, but not proofed]
is-anonymous-proxy: yes
+net: 154.192.0.0/11
+descr: Cloud Innovation Ltd.
+remarks: hijacked AFRINIC IP chunk, owned by suspicous offshore company, scattered across dirty networks worldwide - not a safe place to go
+is-anonymous-proxy: yes
+
net: 161.129.60.0/24
descr: 10VPN Hosting
remarks: VPN provider
@@ -1167,6 +1182,11 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie
remarks: large IP chunk mostly used by VPN providers
is-anonymous-proxy: yes
+net: 196.61.192.0/20
+descr: Inspiring Networks LTD
+remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed]
+is-anonymous-proxy: yes
+
net: 197.221.161.0/24
descr: VPNClientPublics
remarks: VPN provider
@@ -1195,6 +1215,7 @@ is-anonymous-proxy: yes
net: 202.9.16.0/20
descr: VPNsolutions Pty Ltd
remarks: VPN provider
+
is-anonymous-proxy: yes
net: 202.152.146.0/24
@@ -25,6 +25,16 @@ descr: DirectNIC, Ltd.
remarks: Generic anycast network [high confidence, but not proofed]
is-anycast: yes
+aut-num: AS16625
+descr: Akamai Technologies, Inc.
+remarks: Worldwide CDN, does not make sense to assign their networks to a specific country
+is-anycast: yes
+
+aut-num: AS20940
+descr: Akamai International BV
+remarks: Worldwide CDN, does not make sense to assign their networks to a specific country
+is-anycast: yes
+
aut-num: AS31529
descr: DENIC eG
remarks: TLD operator's anycast network
@@ -28,6 +28,16 @@ descr: KLAYER LLC
remarks: part of the "Asline" IP hijacking gang, traces back to AP region
country: AP
+aut-num: AS22769
+descr: DDOSING NETWORK
+remarks: IP hijacker located somewhere in AP, massively tampers with RIR data
+country: AP
+
+aut-num: AS24009
+descr: HK UNITE TELECOMMUNICATIONS DEVELOPMENT LIMITED
+remarks: IP hijacker (?) located in HK, tampers with RIR data
+country: HK
+
aut-num: AS24700
descr: Yes Networks Unlimited Ltd
remarks: traces to UA, but some RIR entries seem to contain garbage (VG)
@@ -43,6 +53,11 @@ descr: IP Interactive UG (haftungsbeschraenkt)
remarks: ISP located in BG, but RIR data for announced prefixes contain garbage
country: BG
+aut-num: AS35251
+descr: NetLab
+remarks: tampers with RIR data, most probabyl located in HK
+country: HK
+
aut-num: AS35478
descr: Buena Telecom SRL
remarks: ISP located in RO, but RIR data for announced prefixes contain garbage
@@ -123,11 +138,21 @@ descr: Network Dedicated SAS
remarks: bulletproof ISP, claims to be located in CH, but traces to NL
country: NL
+aut-num: AS62468
+descr: VpsQuan L.L.C.
+remarks: claims to be located in US, but traces to HK
+country: HK
+
aut-num: AS134548
descr: DXTL Tseung Kwan O Service
remarks: tampers with RIR data, traces back to AP region
country: AP
+aut-num: AS137443
+descr: Anchnet Asia Limited
+remarks: IP hijacker located in HK, tampers with RIR data
+country: HK
+
aut-num: AS137951
descr: Clayer Limited
remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region
@@ -213,6 +238,16 @@ descr: FlokiNET Ltd.
remarks: fake offshore location (SC), traces back to RO
country: RO
+net: 45.93.16.0/22
+descr: IPv4 Superhub Limited
+remarks: network owned by an HK company, traces back to HK as well - but is assigned to DE. Nice try...
+country: HK
+
+net: 45.134.144.0/22
+descr: IPv4 Superhub Limited
+remarks: same as 45.93.16.0/22
+country: HK
+
net: 45.145.36.0/22
descr: GlobalCache Technology CO., Ltd.
remarks: claims to be located in DE, but traces back to HK